IN THE CLAIMS:
What is claimed is: 

1. (Cancelled) 

2. (Currently amended) The computer-implemented method of claim 1, claim 31, wherein
the severity levels are calculated based on at least one of the number of event sets within each of
the groups, the source attribute of the event sets within each of the groups, the target attribute of
the event sets within each of the groups, and the event category attribute of the event sets within
each of the groups.

3. (Currently amended) The computer-implemented method of claim 1, claim 31, wherein
the events include at least one of a web server event, an electronic mail event, a Trojan horse, 
denial of service, a virus, a network event, an authentication failure, and an access violation. 

4. (Currently amended) The computer-implemented method of claim 1, claim 31, further
comprising: 

calculating the threshold value based on at least one of the source attribute of the event 
sets within the group, the target attribute of the event sets within the group, the event category
attribute in each event set of the group, and the number of attributes in each event set of the 
group that are held constant across all of the event sets in the group. 

5. (Currently amended) The computer-implemented method of claim 1, claim 31, wherein
the target attribute represents one of a computer and a collection of computers. 

6. (Currently amended) The computer-implemented method of claim 1, claim 31, wherein
the source attribute represents one of a computer and a collection of computers.

7. (Currently amended) The computer-implemented method of claim 1, claim 31, further
comprising:

aggregating a subset of the groups into a combined group.

8-11 (Cancelled)

12. (Currently amended) The computer program product of claim 11, claim 34, wherein the
severity levels are calculated based on at least one of the number of event sets within each of the 
groups, the source attribute of the event sets within each of the groups, the target attribute of the 
event sets within each of the groups, and the event category attribute of the event sets within 
each of the groups. 

13. (Currently amended) The computer program product of claim 11, claim 34, wherein the
events include at least one of a web server event, an electronic mail event, a Trojan horse, denial 
of service, a virus, a network event, an authentication failure, and an access violation. 

14. (Currently amended) The computer program product of claim 11, claim 34, wherein the
computer-readable instructions further include: 

sixth instructions for calculating the threshold value based on at least one of the source 
attribute of the event sets within the group, the target attribute of the event sets within the group, 
the event category attribute in each event set of the group, and the number of attributes in each 
event set of the group that are held constant across all of the event sets in the group. 

15. (Currently amended) The computer program product of claim 11, claim 34, wherein the
target attribute represents one of a computer and a collection of computers.

16. (Currently amended) The computer program product of claim 11, claim 34, wherein the
source attribute represents one of a computer and a collection of computers. 

17. (Currently amended) The computer program product of claim 11, claim 34, wherein the
computer-readable instructions further include:

seventh instructions for aggregating a subset of the groups into a combined group. 

18-21 (Cancelled)

22. (Currently amended) The data processing system of claim 21, claim 37, wherein the
severity levels are calculated based on at least one of the number of event sets within each of the 
groups, the source attribute of the event sets within each of the groups, the target attribute of the 
event sets within each of the groups, and the event category attribute of the event sets within 
each of the groups. 

23. (Currently amended) The data processing system of claim 21, claim 37, wherein the
events include at least one of a web server event, an electronic mail event, a Trojan horse, denial
of service, a virus, a network event, an authentication failure, and an access violation.

24. (Currently amended) The data processing system of claim 21, claim 37, wherein the
processing unit executes the set of instructions to perform the act of: 

calculating the threshold value based on at least one of the source attribute of the event 
sets within the group, the target attribute of the event sets within the group, the event category 
attribute in each event set of the group, and the number of attributes in each event set of the 
group that are held constant across all of the event sets in the group.

25. (Currently amended) The data processing system of claim 21, claim 37, wherein the
target attribute represents one of a computer and a collection of computers. 

26. (Currently amended) The data processing system of claim 21, claim 37, wherein the
source attribute represents one of a computer and a collection of computers. 

27. (Currently amended) The data processing system of claim 21, claim 37, wherein the
processing unit executes the set of instructions to perform the act of:

aggregating a subset of the groups into a combined group.

28-30 (Cancelled) 

31. (Currently amended) A computer-implemented method in a data processing system for
reporting security situations, comprising the computer-implemented steps of: The computer-
implemented method of claim 1, further comprising:

in a first correlation server in a hierarchy of correlation servers, logging events by storing
event attributes as an event set wherein each event set includes a source attribute, a target
attribute and an event category attribute;

classifying events as groups by aggregating events with at least one attribute within the
event set as an identical value;

calculating a respective severity level for each of the groups;

calculating a delta severity for each group from the respective severity level and a
respective prior severity level;

for each group having a non-zero delta severity, propagating the respective delta severity
to a higher-level correlation server;

receiving, in the higher-level correlation server, a plurality of delta packets from a 
plurality of lower-level correlation servers that include the first correlation server, wherein each 
delta packet contains the respective delta severity for each group of the respective lower-level 
correlation server that has a non-zero delta severity; 

performing a first mathematical operation on the plurality of delta packets to form a new 
delta packet; 

if the higher-level correlation server is the top level of the hierarchy of correlation 
servers, performing a second mathematical operation on the new delta packet and a stored 
severity packet to form a new severity packetj and 

if the higher-level correlation server is not the top level of the hierarchy of correlation 
servers, propagating the new delta packet to a higher-level correlation server. 

32. (Previously presented) The computer-implemented method of claim 31, wherein the first
mathematical operation and the second mathematical operation are each one of addition,
arithmetic mean, and geometric mean.

33. (Previously presented) The computer-implemented method of claim 31, further
comprising presenting to an operator each group which has a respective severity value in the new
severity packet that is greater than a respective threshold.
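
The delta-severity propagation recited in the method claim above, sketched in Python as an added illustration; it is not part of the filed claims or of any implementation by the applicant. It assumes severity is the number of event sets in a group, groups are keyed on (category, target), and both mathematical operations are addition; every name and sample event is constructed.

```python
from collections import Counter

def classify(events, keys=("category", "target")):
    # Group event sets whose `keys` attributes are identical.
    # Assumed severity: number of event sets in the group.
    return Counter(tuple(e[k] for k in keys) for e in events)

class LeafServer:
    def __init__(self):
        self.prior = Counter()          # prior severity level per group

    def delta_packet(self, events):
        # `events` is every event set logged so far on this server.
        current = classify(events)
        groups = set(current) | set(self.prior)
        self.prior, prior = current, self.prior
        return {g: current[g] - prior[g] for g in groups if current[g] != prior[g]}

class UpperServer:
    def __init__(self, is_top):
        self.is_top = is_top
        self.severity = Counter()       # stored severity packet (top level)

    def receive(self, packets):
        new_delta = Counter()
        for packet in packets:          # first operation: addition
            for group, delta in packet.items():
                new_delta[group] += delta
        new_delta = {g: d for g, d in new_delta.items() if d}
        if not self.is_top:
            return new_delta            # propagate to the next level up
        for group, delta in new_delta.items():   # second operation: addition
            self.severity[group] += delta
        return dict(self.severity)

def over_threshold(severity, thresholds, default=3):
    return sorted(g for g, s in severity.items() if s > thresholds.get(g, default))

def run_demo():
    ev = lambda s, t, c: {"source": s, "target": t, "category": c}
    a_log = [ev("10.0.0.5", "db01", "auth_failure")] * 2   # constructed sample data
    b_log = a_log + [ev("10.0.0.9", "ws07", "virus")]
    leaf_a, leaf_b = LeafServer(), LeafServer()
    mid, top = UpperServer(is_top=False), UpperServer(is_top=True)
    first = top.receive([mid.receive([leaf_a.delta_packet(a_log), leaf_b.delta_packet(b_log)])])
    a_log = a_log + [ev("10.0.0.7", "db01", "auth_failure")]
    second_b = leaf_b.delta_packet(b_log)                  # nothing new: empty packet
    second = top.receive([mid.receive([leaf_a.delta_packet(a_log), second_b])])
    return first, second_b, second, over_threshold(second, {})
```

In the second round only one group changes on one leaf, so a single delta travels up the hierarchy while the top level still holds the full severity picture.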

34. (Currently amended) A computer program product comprising: The computer program
product of claim 11, further comprising instructions for

a recordable-type media having computer-readable instructions including:

first instructions, in a first correlation server in a hierarchy of correlation servers, for
logging events by storing event attributes as an event set wherein each event set includes a
source attribute, a target attribute and an event category attribute;

second instructions for classifying events as groups by aggregating events with at least
one attribute within the event set as an identical value;

third instructions for calculating a severity level for each of the groups;

fourth instructions for calculating a delta severity for each group from the respective
severity level and a prior severity level; and

fifth instructions for propagating, for each group having a non-zero delta severity, the
delta severity to a higher-level correlation server

sixth instructions for receiving, in the higher-level correlation server, a plurality of delta
packets from a plurality of lower-level correlation servers that include the first correlation server,
wherein each delta packet contains the respective delta severity for each group of the respective
lower-level correlation server that has a non-zero delta severity;

seventh instructions for performing a first mathematical operation on the plurality of
delta packets to form a new delta packet;

if the data processing system is the top level of the hierarchy of servers, eighth
instructions for performing a second mathematical operation on the new delta packet and a
stored severity packet to form a new severity packet; and

if the data processing system is not the top level of the hierarchy of servers, ninth
instructions for propagating the new delta packet to a higher-level correlation server.

35. (Previously presented) The computer program product of claim 34, wherein the first
mathematical operation and the second mathematical operation are each one of addition,
arithmetic mean, and geometric mean.

36. (Currently amended) The computer program product of claim 34, further comprising
instructions for presenting to an operator each group that has a respective severity value in the
new severity packet that is greater than a respective threshold.



37. (Currently amended) A data processing system for reporting security events comprising:
The data processing system of claim 31, further comprising:
a first bus system;
a first memory;

a first processing unit connected as a first correlation server in a hierarchy of correlation
servers, wherein the first processing unit includes at least one processor; and
a first set of instructions within the first memory,
a second bus system;
a second memory;

a second set of instructions within the second memory; and
a second processing unit connected as the higher-level correlation server,
wherein the first processing unit executes the first set of instructions to perform the acts
of:

logging events by storing event attributes as an event set, wherein each event set
includes a source attribute, a target attribute and an event category attribute;

classifying events as groups by aggregating events with at least one attribute
within the event set as an identical value;

calculating a severity level for each of the groups;

calculating a delta severity for each group from the respective severity level and a
prior severity level; and

for each group having a non-zero delta severity, propagating the delta severity to
a higher-level correlation server.



Page 7 of Id 
Black et al. - 09/942,633 






Nov 21 2005 4:17PM YEE & ASSOCIATES, P.C. (972) 385-7766 p. 10



wherein the second processing unit executes the second set of instructions to perform the
acts of:

receiving, from the first correlation server and a third correlation server, a first 
delta packet and a second delta packet, wherein said first delta packet contains the 
respective delta severity for each group of the first correlation server that has a non-zero 
delta severity and the second delta packet contains a respective delta severity for each 
group of the third correlation server that has a non-zero delta severity; 

performing a first mathematical operation on the first delta packet and the second 
delta packet to form a new delta packet; 

if the data processing system is the top level of a hierarchy of servers, performing
a second mathematical operation on the new delta packet and a stored severity packet to
form a new severity packet; and

if the data processing system is not the top level of a hierarchy of servers,
propagating the new delta packet to a higher-level correlation server.

38. (Previously presented) The computer program product of claim^, wherein the first
mathematical operation and the second mathematical operation are each one of addition,
arithmetic mean, and geometric mean.

39. (Previously presented) The computer program product of claim^Y, further comprising
presenting to an operator each group which has a respective severity value in the new severity 
packet that is greater than a respective threshold. 